Stop Saying North Korea Didn't Hack Sony

Kim Jong Un gives field
guidance during a visit to the Pyongyang Catfish Farm in this
undated photo released by North Korea's Korean Central News
Agency (KCNA) in Pyongyang December 23, 2014. REUTERS/KCNA

At this point,
anyone who doubts that North Korea helped hack Sony is
disagreeing with several top cybersecurity firms and the US
intelligence community.

Nevertheless, many
smart people are highly skeptical that a tinpot dictatorship
with almost no internet connectivity could compromise an
American-based subsidiary of a multinational corporation.

While all are possibilities, there is no conclusive
evidence corroborating any of these theories.

On the other hand, there is a lot of evidence suggesting
North Korean involvement.

What We Know

On Nov. 24, computer screens of Sony employees flashed a
warning indicating the company's computer systems had been
compromised and data had been stolen.

Sony's systems were subsequently crippled. An unknown
group calling itself GOP claimed credit for the
hack.

The initial warning left
on Sony computers by hackers. GOP

Over the next few weeks, all hell broke loose in the
entertainment world. Hackers dumped information online and news
organizations scrambled to cover every possible angle. Threats of
violence against movie theaters led to Sony
canceling the Dec. 25 theatrical release of "The Interview,"
a film in which Seth Rogen and James Franco play talk show hosts
enlisted by the CIA to assassinate North Korean leader Kim Jong
Un.

American officials concluded that North Korea was
“centrally involved,” and intelligence officials
told The New York Times that the US intelligence community
"concluded that the cyberattack was both
state-sponsored and far more destructive than any seen before on
American soil."

The FBI's public
assessment, undertaken with assistance from other
intelligence services such as the NSA, cited technical analysis
of the code and overlap of techniques used in previous attacks of
this kind.

Immediately after the attack, cybersecurity experts began looking
at the code and techniques involved in the breach. Kaspersky Lab
and other cybersecurity firms found that
the malware involved in the Sony incident is capable of wiping
disk drives and other data. Kaspersky dubbed the malware
"Destover," noting that similar malware had been used in previous
attacks.

Computer researcher Kurt Baumgartner, drawing on Kaspersky's
initial investigation, detailed
how the Destover malware used in the Sony hack looks a lot like
two previous "wiper" attacks: One called "Shamoon," which
targeted 30,000 Saudi Aramco workstations in 2012, and
another called "Dark Seoul," which
targeted South Korean banks and two of the country's top
broadcasters the following year.

The warning left on South
Korean computers during the "Dark Seoul"
attack. Internet

Furthermore, Kaspersky notes that the defacement placed on Sony
employee computers is similar to the warning message in the "Dark
Seoul" attack, even down to the skull icons.

An assessment
by HP published on Dec. 19 detailed how "several
factors support that North Korea played a role in the
attacks."

HP noted that "it is difficult to discern whether the
regime acted alone. It is plausible that the actors responsible
for this attack relied on the assistance of an
insider."

Jason Lancaster, senior threat intelligence analyst at
HP, noted to Business Insider that "the system that was used by
the author of the malware used in the Sony case was compiled on a
Windows system with a Korean language set, specifying its
keyboard. ... So the keyboard for the
system that was used to compile this malware ... was done in the
same way as other malware associated to it."

Investigative journalists at Krebs on Security noted
that like DarkSeoul, "the Destover wiper executables were
compiled somewhere between 48 hours prior to the attack and the
actual day of attack."
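
How a compile time like this is read from a Windows executable, as an added example that is not from the article or from any of the firms quoted: the linker writes a TimeDateStamp into the PE file's COFF header, and an analyst compares it with the incident date. The sample bytes, function names and the 2014-11-22 build time below are constructed for illustration; the field can be altered after the build, so it is one indicator among several.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Date the article gives for the warning screens at Sony (Nov. 24), taken as 2014 UTC.
INCIDENT_DAY = datetime(2014, 11, 24, tzinfo=UTC)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def built_shortly_before(compiled: datetime, incident_day: datetime,
                         window: timedelta = timedelta(hours=48)) -> bool:
    """True if compiled between `window` before the incident day and the end of that day."""
    return incident_day - window <= compiled < incident_day + timedelta(days=1)


def make_sample(compiled: datetime) -> bytes:
    """Build a constructed, header-only PE stub carrying the given compile time."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(compiled.timestamp()), 0, 0, 0, 0)
    return dos_header + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed samples, not real malware: one built two days before, one weeks before.
    for built in (datetime(2014, 11, 22, 12, tzinfo=UTC), datetime(2014, 10, 1, tzinfo=UTC)):
        stamp = pe_compile_time(make_sample(built))
        print(stamp.isoformat(), "within window:", built_shortly_before(stamp, INCIDENT_DAY))
```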

And CrowdStrike, a security firm that focuses heavily on
identifying attribution and actors behind major cybercrime
attacks,
had independently concluded that North Korea orchestrated the
hack before the FBI officially blamed Pyongyang.

“We have a high-confidence that this is a North Korean operator
based on the profiles seen dating back to 2006, including prior
espionage against the South Korean and US government and military
institutions,” said Dmitri Alperovitch, chief technology officer
and co-founder at CrowdStrike.

“These events are all connected, through both the
infrastructure overlap and the malware analysis, and they are
connected to the Sony attack,” Alperovitch added. “We haven’t
seen the skeptics produce any evidence that it wasn’t North
Korea, because there is pretty good technical attribution
here.”

Despite these assertions from experts and officials in the
know, the frank skepticism persists:

One day media analysts are going to look at Obama's Friday
press conference as one of the greatest presidential
snookerings in US history.